| 1 |
On Mon, Dec 31, 2012 at 9:42 AM, Tobias Klausmann <klausman@g.o> wrote: |
| 2 |
> Now before you reply, RTFA. Also note that while my own opinion |
| 3 |
> on the matter is irrelevant, I _do_ think that his concerns need |
| 4 |
> to be addressed, particularly the second half of his statement. |
| 5 |
|
| 6 |
SSL Certificate Authorities are a mess. Grab your favorite |
| 7 |
browser/phone/etc and take a look at the list of trusted authorities |
| 8 |
and tell me if you have even heard of half of them. If you look at |
| 9 |
the list on a mobile device that is more than a year old or so most |
| 10 |
likely it still has the compromised Diginotar certificates still on |
| 11 |
it, since nobody bothers to update most of these devices after they |
| 12 |
are sold (one or two brands notwithstanding). |
| 13 |
|
| 14 |
Mozilla of course happily packaged the Diginotar certificates because |
| 15 |
they paid the substantial fee and had the stack of paper that |
| 16 |
demonstrated that at one point in time they at least had something |
| 17 |
that resembled secure operations during a cursory audit. They have |
| 18 |
been steadily blocking providers like CACert for just as long as they |
| 19 |
had not demonstrated proper security theater. As far as I'm aware, |
| 20 |
the latter hasn't been handing out certificates for everything from |
| 21 |
GMail to Hotmail to random hackers. |
| 22 |
|
| 23 |
The certificates that Gentoo distributes have at least been vouched |
| 24 |
for by somebody who is a part of our community, which is more than can |
| 25 |
be said for most of the upstream certificates. |
| 26 |
|
| 27 |
The bottom line is that if you care about security that much, you will |
| 28 |
de-list all the CAs on your system and do your own audits (routinely), |
| 29 |
or white-list individual website certificates (again after whatever |
| 30 |
level of due diligence you feel is appropriate). Perhaps you might |
| 31 |
even hire somebody to do this work for you, but it will be somebody |
| 32 |
you actually pay, and who will therefore treat you as a customer. |
| 33 |
Make no mistake, you are NOT the customer of the CAs in your browser - |
| 34 |
you are their product, sold to various companies for $200/yr or |
| 35 |
whatever the going rate is. It really isn't that much different from |
| 36 |
advertising, if you want to get your message out, then you pay the |
| 37 |
gatekeepers for the privilege. |
| 38 |
|
| 39 |
My suggestion is to leave things alone, and by all means have a |
| 40 |
disclaimer on the ca-certificates package as Debian does. I'd rather |
| 41 |
not bundle any certificates than be a party to the |
| 42 |
hand-over-$10k-for-the-right-to-MITM-random-websites game. |
| 43 |
|
| 44 |
Rich |
Archives